Pwning "the toughest target": the exploit chain of winning the largest bug bounty in the history of ASR program

Video in TIB AV-Portal: Pwning "the toughest target": the exploit chain of winning the largest bug bounty in the history of ASR program

Formal Metadata

Title
Pwning "the toughest target": the exploit chain of winning the largest bug bounty in the history of ASR program
Alternative Title
Pwning the Toughest Target, the Largest Bug Bounty in the History of ASR
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
In recent years, Google has made many great efforts in exploit mitigation and attack surface reduction to strengthen the security of the Android system. It is becoming more and more difficult to remotely compromise Android phones, especially Google's Pixel phone. The Pixel phone is protected by many layers of security; it was the only device that was not pwned in the 2017 Mobile Pwn2Own competition. But our team discovered a remote exploit chain, the first of its kind since the Android Security Rewards (ASR) program expansion, which could compromise the Pixel phone remotely. We reported the exploit chain directly to the Android security team; they took it seriously and patched it quickly. Because of the severity and our detailed report, we were awarded the highest reward ($112,500) in the history of the ASR program. In this talk we will detail how we used the exploit chain to inject arbitrary code into the system_server process and get system user permissions. The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug related to WebAssembly and SharedArrayBuffer; it is used to get remote code execution in the sandboxed Chrome renderer process. CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from the sandbox. The way we used for sandbox escaping is very interesting and rarely talked about before. All details of the vulnerabilities and mitigation bypassing techniques will be given in this talk.
So, very excited to bring up our next speaker, and I'm gonna try this again: [name unclear]. Awesome. So he is going to talk about pwning Android devices. How many people have Android devices? Yeah, be afraid, be afraid, he's coming for your things. Let's give our next speaker a big round of applause.

[unclear] Thank you, Joe. Hi everyone. Today I will present how we pwned "the toughest target" and won the largest bug bounty in the history of the ASR program. Originally my colleagues [names unclear] were going to explain it to you, but [unclear]. As we know, the Pixel phone is protected by many layers of security. In the 2017 Mobile Pwn2Own, Samsung and iPhone were pwned many times, but only the Pixel was a survivor; no researchers even tried to challenge it. But our team discovered a working exploit chain which could compromise the Pixel phone remotely. Because of the severity and our detailed report, we were awarded the highest reward in the history of the ASR program. Next I will show the details.

First, let me introduce myself and my colleagues. I am a security researcher at 360 Alpha Team, focused on Android system security research, vulnerability hunting and exploiting. [name unclear] is the senior security researcher at our team; he focuses on Android and Chrome security research, has spoken at several security conferences and is the winner of many famous contests like Mobile Pwn2Own. [name unclear] is a security researcher at 360 Alpha Team and he focuses on Android system security research.

In this talk I will introduce how we pwned the Pixel. We used two bugs to pwn it: one is a V8 engine bug, to compromise the renderer, and the other is a system_server bug that is used to escape the sandbox and achieve elevation of privilege. I will show the details later.

This is the agenda. It mainly includes three parts: how to exploit the V8 engine bug, then how to exploit the bug in the system_server process, and finally we will make some conclusions. So I will show the first part. I will introduce SharedArrayBuffer and WebAssembly, then analyze the first bug of the exploit chain, CVE-2017-5116, and then I will talk about how to exploit the vulnerability.

The SharedArrayBuffer object is used to represent a generic, fixed-length raw binary data buffer, similar to the ArrayBuffer object. V8 6.0 introduced support for SharedArrayBuffer, a low-level mechanism to share memory between JavaScript workers and synchronize control flow across workers. SharedArrayBuffers give JavaScript access to shared memory, atomics, and futexes. SharedArrayBuffers also unlock the ability to port threaded applications to the web via asm.js or WebAssembly. Unfortunately, SharedArrayBuffer was disabled by default in all major browsers in January 2018 in response to Meltdown and Spectre, but we reported the bug in July 2017, so it was not affected. Maybe it will be enabled again in the future; it's worth paying attention to.

WebAssembly is a new type of code that can be run in modern web browsers. It is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages such as C or C++ with a compilation target so that they can run on the web. It is also designed to run alongside JavaScript, allowing both to work together. Here is an example of how to invoke a function that is exported from a simple WebAssembly file.

OK, I have introduced some basic knowledge; now let's analyze the bug in detail. The vulnerability was fixed in Chrome 61.0.3163.79, so Chrome versions prior to 62 may be affected. By combining three features in Chrome, SharedArrayBuffer, WebAssembly and Web Worker, an OOB access can be triggered through a race condition. Simply speaking, WebAssembly code can be put into a SharedArrayBuffer and then transferred to a Web Worker. When the main thread parses the WebAssembly code, the worker thread can modify the code at the same time, which causes an OOB access.

Here is the buggy code. The buggy code is in the function GetFirstArgumentAsBytes. The argument args may be an ArrayBuffer or TypedArray object. After SharedArrayBuffer is imported into JavaScript, the TypedArray can be backed by a SharedArrayBuffer, so the content of the TypedArray can be modified by other worker threads at the same time. Here is the PoC: two workers which modify the WebAssembly code at the same time another thread is parsing the code. The WebAssembly code is put into a SharedArrayBuffer, then a TypedArray object is created using the SharedArrayBuffer as its buffer. After that, a worker thread is created and the SharedArrayBuffer is passed to the newly created worker thread. While the main thread is parsing the WebAssembly code, the worker thread modifies the SharedArrayBuffer. After the main thread's bounds check, the instruction call 0 can be modified by the worker thread to call 128, and then it is parsed and compiled by the main thread, so an OOB access occurs.

The disassembled code shows that the instruction call 0 was modified to call 128, making an OOB access. So the call 0 instruction can be modified to call any other WebAssembly function, and the exploitation of this bug is pretty straightforward. If call 0 is modified to call $leak, the registers and stack contents are dumped to WebAssembly memory. Because function 0 and function $leak have a different number of arguments, this results in many useful pieces of data on the stack being leaked.

Not only the instruction call 0: any call function_x instruction can be modified. Assume function_x is a WebAssembly function with six arguments, as shown above. When V8 compiles the function on the 32-bit architecture, the first five arguments are passed through registers and the sixth argument is passed on the stack. All the arguments can be set to any value by JavaScript. When JavaScript calls a WebAssembly function, V8 compiles a JS_TO_WASM function internally. After compilation, the JS_TO_WASM function will call the WebAssembly function. The JS_TO_WASM function uses a different calling convention: its first argument is passed on the stack. So if we modify call function_x to call the JS_TO_WASM function, what happens is that the JS_TO_WASM function will take the sixth argument of function_x as its first argument, but it treats its first argument as an object pointer, so a type confusion will be triggered when the argument is passed to the ToNumber function. This means we can pass any value as an object pointer to the ToNumber function; thus we can fake an ArrayBuffer object in some area such as a double array and pass the address to the ToNumber function.

Exploiting an OOB access in V8 is straightforward; usually it only needs these few steps: leak the ArrayBuffer content, then fake an ArrayBuffer or TypedArray by using the leaked data; next pass the fake ArrayBuffer's address to ToNumber, modify the backing store and byte length of the ArrayBuffer, and we can get arbitrary memory read and write; and finally overwrite the JIT code with shellcode. A lot of researchers have talked about this exploitation method, so I will not explain it in detail. The patch just copies the WebAssembly code and parses it without using shared memory.

Next I will talk about the second bug of the exploit chain: analyze the bug, introduce a way to escape the sandbox, and show how to exploit it to escape the sandbox. CVE-2017-14904 is caused by a map and unmap mismatch, and of course it causes a use-after-unmap. The buggy code is in the functions gralloc_map and gralloc_unmap, both of which are in the libgralloc module. gralloc_map maps a graphic buffer to memory space. The graphic buffer is controlled by the argument handle, and the handle pointer is controlled by the Chrome renderer process. Here the mapped address plus the offset is assigned to the base pointer. The mapped memory will be unmapped in the function gralloc_unmap. Let's have a look.

Here the base pointer is passed to the system call munmap directly, without subtracting the offset; the offset is not used at all. As a result, map and unmap are mismatched. However, the member offset can be manipulated from Chrome's sandboxed process, so it's possible to unmap any pages in system_server from Chrome's sandboxed renderer process. So we have achieved this. But if we want to trigger the system_server bug from the renderer, we have to pass the sandbox. Next I will introduce a way to escape the sandbox. In the picture we can see that Chrome's sandboxed process is in the isolated_app domain. From the SELinux policy file of isolated_app, a few services like the activity service can be called in the sandboxed process; also we can get the activity service from the sandboxed process. When starting an activity, the function enforceNotIsolatedCaller will be invoked, which will check if the caller is in the isolated_app domain. Because of SELinux, most system services have been strictly restricted from access by the sandboxed process, and only a few functions can be called in the isolated_app domain. The attack surface is getting narrower.

From the code we can see that despite these various restrictions, we still found an ingenious way that can get the renderer process to reach system_server: a Binder call with a Parcelable object. A lot of classes implement the interface Parcelable, and the member function createFromParcel of all these classes can be called from Chrome's sandbox using a Binder call with a Parcel. GraphicBuffer is the one that is used in the exploitation; I will talk about it later. This is the case to reach system_server avoiding enforceNotIsolatedCaller: a remote transact with a Parcel. The Bundle passed from the renderer is parsed in the ActivityOptions constructor, so we get a way to reach system_server from Chrome. Call createFromParcel to create a Bundle encapsulated with a GraphicBuffer, call the Binder method [unclear] transact, and pass the malicious Bundle to system_server.

To exploit the bug, we go through the six steps shown above. Next I will detail each step. Step one: address space shaping. We make the address space layout look as shown above: the heap range is right above some continuous shared memory mappings. Step two: trigger the bug to unmap part of the heap and the shared memory; unmap 4K in the heap range and 2M minus 4K in shared memory 29, so there is a 2M gap between the heap range and shared memory 29. Step three: fill the unmapped space with ashmem memory; the gap is filled with shared memory 1001. Step four: spray the heap. The heap data will be written to the shared memory: the heap manager thinks the memory range between the two red addresses is managed by it and allocates memory from this range, without knowing that heap data is written to shared memory. Step five: allocate GraphicBuffer objects in the shared memory and overwrite the virtual function pointer. Because the filled shared memory in step three is mapped both by system_server and by the renderer process, part of system_server's heap can be read and written by the renderer process. We can make system_server allocate some GraphicBuffer objects in the shared memory; we can read the virtual table of a GraphicBuffer object and overwrite the virtual function pointer by writing to the shared memory. Step six: as GraphicBuffer is inherited from RefBase, which has a virtual member function named onLastStrongRef, we can read the vtable address from the shared memory and then calculate the address of the function onLastStrongRef. We found some ROP gadgets in libui and modify the virtual table of GraphicBuffer to trigger our ROP. When a GraphicBuffer object is destructed, the virtual function onLastStrongRef is called, so we can replace this virtual function to jump to our ROP. When GC happens, the control flow goes to our ROP.

So, OK, finally let's summarize the contents of this talk. First, we compromise the Chrome renderer with a V8 bug, and then we achieve getting the privilege of system_server by using an ingenious way to escape the sandbox and exploiting the bug CVE-2017-14904. Combined, we complete the full remote exploit chain. All of these bugs have already been fixed in the security updates of December 2017. Thanks to our colleagues at Alpha Team and the [unclear] team. That's all, thank you. [Applause]
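Added example, not code from the talk, from V8 or from Chrome. The first bug of the chain (CVE-2017-5116) is a check-then-use race: the main thread validates WebAssembly bytes that live in a SharedArrayBuffer, a worker rewrites the call immediate after the check, and the compiler consumes the new value. The C model below reproduces that shape deterministically: validate() is the decoder's bounds check, run() is the backend that trusts it, and the racing worker is a callback invoked in the window between the two. The opcode values for call and end are real, but the two-function "module", the function table, and the racer_fn callback are assumptions for the demo. The fix is the one the talk names: parse from a private copy, never from the shared buffer.

```c
/* Added example (not from the talk or V8): TOCTOU over a shared code buffer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum { OP_CALL = 0x10, OP_END = 0x0b };   /* real wasm opcodes: call / end */
#define NUM_FUNCS 2                        /* hypothetical module with 2 functions */
#define MAX_CODE  64

/* Hypothetical function table that a "call" immediate indexes into. */
static const int func_table[NUM_FUNCS] = { 111, 222 };

/* Pass 1 (the decoder's check): every call target must exist. */
static bool validate(const uint8_t *code, size_t len) {
  for (size_t i = 0; i < len; i++) {
    if (code[i] == OP_CALL) {
      if (i + 1 >= len || code[i + 1] >= NUM_FUNCS) return false;
      i++;                                 /* skip the immediate */
    } else if (code[i] != OP_END) {
      return false;
    }
  }
  return true;
}

/* Pass 2 (the backend): trusts the validator and indexes the table directly.
 * To keep this model memory-safe it reports an out-of-range index as -1
 * instead of performing the out-of-bounds read the real bug allowed. */
static int run(const uint8_t *code, size_t len) {
  int result = 0;
  for (size_t i = 0; i < len; i++) {
    if (code[i] == OP_CALL) {
      uint8_t idx = code[i + 1];
      if (idx >= NUM_FUNCS) return -1;     /* would be an OOB read in the real engine */
      result = func_table[idx];
      i++;
    }
  }
  return result;
}

/* Stand-in for the worker thread that writes into the SharedArrayBuffer. */
typedef void (*racer_fn)(uint8_t *shared_code);

/* Vulnerable shape: both passes read the shared buffer. */
static int compile_shared_vulnerable(uint8_t *shared, size_t len, racer_fn racer) {
  if (len > MAX_CODE || !validate(shared, len)) return -2;
  racer(shared);                           /* worker writes after the check ... */
  return run(shared, len);                 /* ... and the backend sees the write */
}

/* Hardened shape (what the fix does): snapshot into private memory first, so
 * nothing that happens to the shared buffer afterwards reaches either pass. */
static int compile_shared_fixed(uint8_t *shared, size_t len, racer_fn racer) {
  uint8_t priv[MAX_CODE];
  if (len > MAX_CODE) return -2;
  memcpy(priv, shared, len);
  if (!validate(priv, len)) return -2;
  racer(shared);                           /* same write, now harmless */
  return run(priv, len);
}

/* The talk's worker: flip the call target to 128 once validation is done. */
static void flip_call_target(uint8_t *shared) { shared[1] = 128; }

/* Constructed sample program: "call 1" followed by "end". */
static int demo(bool fixed) {
  uint8_t code[] = { OP_CALL, 0x01, OP_END };
  return fixed ? compile_shared_fixed(code, sizeof code, flip_call_target)
               : compile_shared_vulnerable(code, sizeof code, flip_call_target);
}

int main(void) {
  printf("vulnerable: %d (-1 = out-of-range call index reached the backend)\n", demo(false));
  printf("fixed:      %d (table entry for the validated call 1)\n", demo(true));
  return 0;
}
```

The vulnerable path returns -1 because run() sees index 128, a value validate() never examined; the fixed path returns 222 because both passes operate on the same private bytes. A real engine has no "return -1" safety net, which is why the talk's call 128 became an out-of-bounds table access and a leak of registers and stack contents.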
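Added example, not Android's gralloc code and not the speakers' exploit. The second bug (CVE-2017-14904) is described in the talk as an asymmetry: gralloc_map stores mmap() result plus offset as the base pointer, gralloc_unmap hands that base straight to munmap() without subtracting the offset, and the offset comes from a handle the renderer controls. The block below models that asymmetry in a single process with anonymous mappings. struct buffer_handle, map_at(), the three-page reserved layout and the "victim" page standing in for system_server data are assumptions for the demo (the real handle arrives over Binder); msync() is used only as a probe of whether the victim page is still mapped. The fixed pair shows the two checks a practitioner wants: bound the untrusted offset at map time and unmap exactly what mmap() returned.

```c
/* Added example (not libgralloc): map/unmap offset mismatch, vulnerable vs fixed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sys/mman.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20        /* Linux value, for strict -std= builds */
#endif
#define PAGE ((size_t)sysconf(_SC_PAGESIZE))

/* Hypothetical handle; in the real bug these fields come from the renderer. */
struct buffer_handle {
  size_t size;                    /* bytes to map */
  size_t offset;                  /* claimed offset of pixel data inside the mapping */
  void  *base;                    /* set by map: mapping start + offset */
};

/* Model of the driver mapping the buffer at a known address (MAP_FIXED keeps
 * the demo layout deterministic; a real gralloc gets whatever mmap returns). */
static void *map_at(void *addr, size_t len) {
  void *m = mmap(addr, len, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
  return m == MAP_FAILED ? NULL : m;
}

/* Vulnerable pair, shaped like the talk's gralloc_map()/gralloc_unmap(). */
static int vuln_map(struct buffer_handle *h, void *where) {
  void *m = map_at(where, h->size);
  if (!m) return -1;
  h->base = (char *)m + h->offset;          /* offset never validated */
  return 0;
}
static int vuln_unmap(struct buffer_handle *h) {
  return munmap(h->base, h->size);          /* BUG: not what mmap() returned */
}

/* Fixed pair: reject offsets outside the buffer, unmap the real mapping start. */
static int fixed_map(struct buffer_handle *h, void *where) {
  if (h->offset >= h->size) return -1;      /* untrusted handle: bound the offset */
  void *m = map_at(where, h->size);
  if (!m) return -1;
  h->base = (char *)m + h->offset;
  return 0;
}
static int fixed_unmap(struct buffer_handle *h) {
  return munmap((char *)h->base - h->offset, h->size);
}

/* Layout: [page 0] graphic buffer, [page 1] gap, [page 2] victim page that
 * stands in for system_server's own data. Returns true if the victim survives
 * mapping and unmapping an unrelated buffer whose handle carries a hostile offset. */
static bool victim_survives(bool use_fixed) {
  char *region = mmap(NULL, 3 * PAGE, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (region == MAP_FAILED) return false;
  char *victim = map_at(region + 2 * PAGE, PAGE);
  if (!victim) { munmap(region, 3 * PAGE); return false; }
  strcpy(victim, "system_server data");

  struct buffer_handle h = { .size = PAGE, .offset = 2 * PAGE };   /* attacker-chosen */
  int rc = use_fixed ? fixed_map(&h, region) : vuln_map(&h, region);
  if (rc == 0) (void)(use_fixed ? fixed_unmap : vuln_unmap)(&h);

  /* msync() fails with ENOMEM once the page is no longer mapped. */
  bool alive = msync(victim, PAGE, MS_ASYNC) == 0 &&
               strcmp(victim, "system_server data") == 0;
  munmap(region, 3 * PAGE);
  return alive;
}

/* The fixed pair must still work for a legitimate in-buffer offset. */
static bool fixed_roundtrip_ok(void) {
  char *region = mmap(NULL, PAGE, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (region == MAP_FAILED) return false;
  struct buffer_handle h = { .size = PAGE, .offset = 64 };
  if (fixed_map(&h, region) != 0) { munmap(region, PAGE); return false; }
  memset(h.base, 0xAA, 16);                 /* write through base like a client would */
  return fixed_unmap(&h) == 0;
}

int main(void) {
  printf("vulnerable pair, victim page survives: %s\n", victim_survives(false) ? "yes" : "no");
  printf("fixed pair, victim page survives:      %s\n", victim_survives(true) ? "yes" : "no");
  printf("fixed pair, legitimate round trip ok:  %s\n", fixed_roundtrip_ok() ? "yes" : "no");
  return 0;
}
```

With the vulnerable pair, munmap() receives region + 2 pages, which is the victim page, so the buffer the caller actually mapped stays and a page it never owned disappears; that is the arbitrary unmap in system_server the talk then turns into a shared-memory heap overlap. The fixed pair refuses the hostile handle outright and, for a legitimate offset, unmaps the same address mmap() returned.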